An easy-to-use exploit was publicly released this week for a patched vulnerability that affects the widely used Cisco AnyConnect Secure Mobility Client and Cisco Secure Client applications for Windows. Attackers could leverage the exploit to elevate their privileges on a victim's system and take full control of it.
Cisco Secure Client for Windows, previously known as Cisco AnyConnect Secure Mobility Client before version 5.0, is an application that integrates with multiple Cisco endpoint security and management platforms and technologies including its AnyConnect VPN and zero-trust network access (ZTNA) platform, which is popular with enterprises.
The software's popularity has made it a target for attackers before. In October 2022, Cisco updated its advisories for two privilege escalation vulnerabilities, which were originally patched in the AnyConnect Client in 2020, to warn customers that they were being exploited in the wild.
At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaws, tracked as CVE-2020-3433 and CVE-2020-3153, to its Known Exploited Vulnerabilities Catalog that all government agencies have a deadline to patch.
Local privilege escalation vulnerabilities are not rated with critical severity because they require an attacker to already have some access to execute code on the operating system. However, this doesn't mean they are not serious or valuable for attackers, especially in a lateral movement context.
Employees who have the Cisco AnyConnect client on their company-issued computers so they can access the organisation's network via VPN don't typically have administrator privileges on their systems.
If attackers manage to trick a user to execute a malicious program, that code will run with their limited privileges.
That might be enough for basic data theft from the user's applications but won't allow for more sophisticated attacks like dumping local credentials stored in Windows that could potentially allow them to access other systems. Here is where local privilege escalation flaws come into play.
The CVE-2023-20178 exploit
The privilege escalation vulnerability Cisco patched earlier this month is tracked as CVE-2023-20178 and is caused by the update mechanism of Cisco AnyConnect Secure Mobility Client and Cisco Secure Client for Windows.
Researcher Filip Dragovic, who found and reported the flaw to Cisco, explains in his proof-of-concept exploit posted on GitHub that every time a user establishes a VPN connection, the client software executes a file called vpndownloader.exe.
This process creates a directory in the c:\windows\temp folder with default permissions and checks to see if it has any files inside, for example from a previous update. If any files are found, it will delete them, but this action is performed with the NT Authority\SYSTEM account, the highest privileged account on Windows systems.
Attackers can easily exploit this action by using symlinks (shortcuts) to other files they create resulting in an arbitrary file delete issue. How does a file delete become a file execution? By abusing a little-known feature of the Windows Installer service. Researchers from Trend Micro's Zero Day Initiative described the technique in detail back in March 2022 and credited it to a researcher named Abdelhamid Naceri, who found and reported a different vulnerability in the Windows User Profile Service that similarly led to arbitrary file deletion with SYSTEM privileges.
"This exploit has wide applicability in cases where you have a primitive for deleting, moving, or renaming an arbitrary empty folder in the context of SYSTEM or an administrator," the Trend Micro researchers said at the time.
Cisco updated its advisory for CVE-2023-20178 to warn users that a public exploit is now available. The company urges customers to upgrade Cisco AnyConnect Secure Mobility Client for Windows to version 4.10MR7 (4.10.07061) or later, and the Cisco Secure Client for Windows to version 5.0MR2 (5.0.02075) or later.